[Journalbeat] Can't read journal logs since systemd 246 #22129
Labels
Comments
botelastic
bot
added
the
needs_team
mickymiek
changed the title
andresrc
added
the
Team:Services
|
Pinging @elastic/integrations-services (Team:Services) |
botelastic
bot
removed
the
needs_team
|
This needs to be fixed in the |
|
@kvch In addition to that, there is that issue (also related to systemd 246+): #23220 (comment) |
|
How we can replicate the issue with minimal configurations journalbeat:7.10.2 has issues with Fedora 33.2.* (CoreOS)What we will do to replicate the issue
Expected Output
Behaviour on Fedora 33.20210104.3.1 (CoreOS)
[root@ip-172-16-6-197 core]# cat /etc/os-release | egrep "PRETTY_NAME"
PRETTY_NAME="Fedora CoreOS 33.20210104.3.1"Setup the journalbeat.yml [root@ip-172-16-6-197 log]# cat /tmp/journalbeat.yml
logging.level: debug
logging.to_files: true
logging.files:
path: /var/log/journalbeat
name: journalbeat
keepfiles: 7
permissions: 0644
output.console:
pretty: true
journalbeat.inputs:
- paths: ["/var/log/journal"]
seek: tailDo we have something to read [root@ip-172-16-6-197 log]# ls /var/log/journal/ec202d401c5992820776e21d113a6d85/
system.journal user-1000.journalLet's start the docker journalbeat sudo docker run \
--rm --name=journalbeat \
--user=root \
--volume="/var/log/journal:/var/log/journal" \
--volume="/etc/machine-id:/etc/machine-id" \
--volume="/run/systemd:/run/systemd" \
--volume="/tmp/journalbeat.yml:/usr/share/journalbeat/journalbeat.yml" \
docker.elastic.co/beats/journalbeat:7.10.2 journalbeat -e -strict.perms=false
.
.
2021-02-02T08:30:04.594Z INFO [journalbeat] beater/journalbeat.go:93 journalbeat is running! Hit CTRL-C to stop it.
2021-02-02T08:30:04.597Z INFO [monitoring] log/log.go:118 Starting metrics logging every 30sPROOF OF ISSUE 1
[root@ip-172-16-6-197 core]# echo 'hello world' | systemd-cat -p info
PROOF OF ISSUE 2
[root@ip-172-16-6-197 core]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69be0030b5c0 docker.elastic.co/beats/journalbeat:7.10.2 "/usr/local/bin/dock…" 4 minutes ago Up 4 minutes journalbeat
[root@ip-172-16-6-197 core]# docker exec -it journalbeat sh
sh-4.2# cd /var/log/journal/ec202d401c5992820776e21d113a6d85/
sh-4.2# journalctl
Journal file /var/log/journal/ec202d401c5992820776e21d113a6d85/system.journal uses an unsupported feature, ignoring file.
-- No entries --
sh-4.2# journalctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
[root@ip-172-16-6-197 core]# journalctl --version
systemd 246 (v246.7-1.fc33)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unifiedWhat is the root cause ?I am not sure but i think
Have tested this scenario on Fedora 31.* (CoreOS) and it works as expected |
|
Does journalbeat read them when it is executed directly on the host? In that case it would be using the same systemd library as the host (rather than the one shipped in the journalbeat container (219)). |
|
Closing as inactive and Journalbeat is removed in 7.16. Please use |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Journalbeat has stopped working for us since the version 246 of systemd is out.
This seems to be the culprit: https://github.com/systemd/systemd/blob/93caec7ed612c3d5d62ee092774bb481995fc05e/NEWS#L2049-L2057
We made it work again by setting
SYSTEMD_JOURNAL_KEYED_HASHto 0 in systemd-journald.service. It would make sense to do what's needed for journalbeat to work without this workaround.Would be happy to help if needed !
The text was updated successfully, but these errors were encountered: